[ntp:questions] Re: Configuring a server and clients behind a firewall

Steve Kostecke kostecke at ntp.isc.org
Tue Feb 1 16:37:07 UTC 2005


On 2005-02-01, Ronan Flood <ronan at noc.ulcc.ac.uk> wrote:
> Steve Kostecke <kostecke at ntp.isc.org> wrote:
>
>> Here are some barebones configuration files. They do not contain any
>> restrictions. If you do want to use restrictions you will not be able to
>> use server host names that resolve to multiple IP addresses (e.g.
>> *.pool.ntp.org).
>
> Isn't that a bit sweeping?  You should be able to use, say,
>
>   restrict default nomodify notrap nopeer
>   restrict 127.0.0.1

True. But if you understand how things like remote modification work
it's obvious that "nomodify" is redundant. Ditto for "nopeer". As for
traps, that's a monitoring feature for which there are no known clients
outside of a script in the NTP distribution.

> without affecting anything, and maybe also add noserve and/or noquery
> to the default depending on how tightly controlled you want to be.

"noserve" blocks time packets and puts you back in the position of
needing to know the IP addresses of your remote time servers.

"noquery" should be considered "user-hostile" if you are supplying time
to others. Would you believe, or want to use, a public time server that
refused to disclose its time sources?

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
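
As an added illustration, not part of the original message or of the NTP distribution: a small Python check of the point made about "noserve" above. It reads an ntp.conf and lists the server/peer lines that a blocking default restriction would cut off. The name lint, the sample configuration and its 192.0.2.x addresses are constructed for this example; "ignore" is treated as a second blocking flag and masks are assumed to be IPv4 dotted-quad.

```python
import ipaddress

BLOCKING = {"noserve", "ignore"}  # restrict flags that drop time packets

# Constructed sample ntp.conf (not taken from the thread).
SAMPLE_CONF = """\
restrict default nomodify notrap nopeer noserve
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap
server 192.0.2.10
server 192.0.2.20
server pool.ntp.org
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint(conf):
    """Return (source, reason) pairs for time sources the restrictions block."""
    default_flags, rules, sources = set(), [], []
    for raw in conf.splitlines():
        f = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(f) < 2:
            continue
        if f[0] == "restrict" and f[1] == "default":
            default_flags |= set(f[2:])
        elif f[0] == "restrict" and is_ip(f[1]):
            mask = f[3] if f[2:3] == ["mask"] and len(f) > 3 else None
            net = ipaddress.ip_network(f"{f[1]}/{mask}" if mask else f[1], strict=False)
            rules.append((net, set(f[2:])))
        elif f[0] in ("server", "peer"):
            sources.append(f[1])
    if not default_flags & BLOCKING:
        return []  # default still lets time packets through
    findings = []
    for src in sources:
        if not is_ip(src):  # e.g. a pool name: its addresses cannot be listed
            findings.append((src, "hostname source falls under blocking default"))
            continue
        addr = ipaddress.ip_address(src)
        matches = [r for r in rules if addr in r[0]]
        if not matches:
            findings.append((src, "no restrict line; blocking default applies"))
        elif max(matches, key=lambda r: r[0].prefixlen)[1] & BLOCKING:
            findings.append((src, "matching restrict line also blocks time"))
    return findings
```

Calling lint(SAMPLE_CONF) reports 192.0.2.20 and pool.ntp.org; the same file without "noserve" on the default line reports nothing.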


